Business Associates and HIPAA
What BAs need to know to comply with the HIPAA privacy and security rules
by Dom Nicastro
White paper

The lax days of complying with privacy and security laws are over for business associates (BAs). For the first time since the rules issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) took effect in 2003, BAs of covered entities must comply directly with the HIPAA security and privacy rules, under the Health Information Technology for Economic and Clinical Health (HITECH) Act.

The security rule, which complements the HIPAA privacy rule, includes safeguards for protecting patients' electronic protected health information (PHI), based on three components:
- Administrative: Organizations must have documented procedures that show how they will comply with the security rule
- Physical: Organizations must control how patients' records are physically accessed and prevent inappropriate access
- Technical: Organizations must have a system to control computer access and to monitor and protect communications that flow electronically over open networks

Until February 17, 2009, when President Obama signed the American Recovery and Reinvestment Act of 2009 (ARRA) into law, only covered entities were required to comply with the security and privacy rules. However, the HITECH Act, Title XIII of the ARRA, specifies that BAs, defined by the Centers for Medicare & Medicaid Services (CMS) as those who do not work for a covered entity but handle PHI, must comply with both HIPAA rules: the complete security rule and the use and disclosure provisions of the privacy rule. The compliance date is February 18, 2010.
Features
BA requirements
Unsecured PHI
Penalties for noncompliance
Action plan
Conclusion

"I've done over 150 business associate security and privacy program reviews, and one of the most common answers I get from business associates is that, 'Well, HIPAA does not apply to us,'" says Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, privacy, security, and compliance consultant at Rebecca Herold & Associates, LLC, in Des Moines, IA. "They can't say that anymore. They can no longer argue that they don't have to have safeguards in place."

Section 13401 of the HITECH Act includes the new BA requirements. The act also states that civil and criminal penalties for HIPAA violations, as well as compliance audits, apply directly to BAs. Covered entities must incorporate these additional requirements in their agreements with BAs, according to the new law.

Business associates and HIPAA, June 2009
BA requirements
The HITECH Act calls for BAs to do the following:
- Comply with the use and disclosure requirements of the HIPAA privacy rule (Section 13404) and include those terms in the contract with the covered entity
- Notify the covered entity of any individual whose unsecured PHI has been inappropriately released or obtained
- Ensure that the notification meets the following provisions of Section 13402:
  - A breach is considered discovered on the first day a covered entity or BA knows, or should have known, about it
  - BAs must notify covered entities of any breach and provide detailed information about it, along with the names and contact information of the individuals involved
  - Covered entities and BAs must notify individuals about a breach as soon as possible, but no later than 60 days following discovery of the breach
  - Any delay in notification must be supported by evidence demonstrating that the delay was necessary
- When notifying individuals (or their next of kin if an individual has died) about a breach, the covered entity or BA giving notification must:
  - Provide written notification by first-class mail or, if the individual has indicated a preference for it, by e-mail (consent must be obtained for e-mail), and send follow-up mailings as more information becomes available
  - Post a notice about the breach on the home page of the BA's Web site or in major print or broadcast media if the incident involves 10 or more individuals whose contact information is out of date
  - Send notices to prominent media outlets if a breach involves more than 500 residents of a state or jurisdiction
  - Immediately notify the U.S. Department of Health and Human Services (HHS) secretary of a breach that involves 500 or more people
  - Submit an annual report to the HHS secretary documenting any breaches that involved fewer than 500 people during the year
  - Maintain a log of breaches involving fewer than 500 individuals
  - Include the following information in the notification:
    - A brief description of what happened, including the date of the breach and the date of its discovery, if known
    - A description of the types of unsecured PHI involved (e.g., full name, Social Security number, date of birth, home address, account number, or disability code)
    - The steps individuals should take to protect themselves from potential harm resulting from the breach
    - A brief description of what the covered entity and BA are doing to investigate the breach, mitigate losses, and protect against further breaches
    - Contact information, including a toll-free telephone number, e-mail address, Web site, or postal address, so individuals can ask follow-up questions and obtain additional information

Note: Personal health record (PHR) vendors and third-party providers must notify the Federal Trade Commission (FTC) of any breaches. The FTC is required to inform HHS when it is notified of a breach by a PHR vendor or third-party provider; such vendors and providers are also considered BAs. The FTC will also publish notification requirements for PHR vendors and third-party providers.

Unsecured PHI
The notification requirements apply to unsecured PHI as HHS defines it. Under the HITECH Act, HHS must issue its final guidance on securing PHI by August 18, 2009. On April 17, 2009, HHS issued a 20-page proposed guidance on security breach notification that defines the conditions under which covered entities and BAs can encrypt or destroy private patient data so that it counts as secured PHI and its loss does not constitute a breach. The public comment period ended May 21, 2009.

BAs are not required to follow the guidance. However, if they do, it creates a safe harbor that protects them should a security breach occur, according to the HHS report. In general, HHS specifies two methods for securing PHI: encryption (for data in storage and data moving through a network) and destruction (for paper and electronic media).
HHS defines acceptable encryption in these ways:
- Electronic PHI that is encrypted as specified in the HIPAA security rule, by the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key
- Valid encryption processes for data in databases, file systems, and other storage methods that are consistent with National Institute of Standards and Technology (NIST) Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices
- Valid encryption processes for data moving through a network, including wireless, that comply with the requirements of Federal Information Processing Standard (FIPS) 140-2

The following are breach notification tips for BAs from John R. Christiansen, an information technology lawyer at Christiansen IT Law in Seattle:
- Determine whether you can meet the NIST standards for securing information
- Review and update your security breach notification policies, especially if you can't meet the NIST standards
- Negotiate and implement a notification coordination agreement with key business partners
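What "encrypted as specified in the HIPAA security rule" looks like in practice, as an added example that is not part of the white paper and not HHS's or NIST's own code: a stored PHI record is sealed with AES-256 in GCM mode, a NIST-approved algorithm and mode, using only the Go standard library. The record identifier is bound in as authenticated associated data, so a ciphertext cannot be quietly moved between patient records, and any bit flip, wrong key, or mismatched identifier makes decryption fail outright rather than yield partial plaintext. The function names, the `nonce || ciphertext || tag` storage layout, and the sample record are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

const keyLen = 32 // AES-256

// NewKey returns a fresh random 256-bit key. In a real deployment the key
// lives in a key-management system or HSM, never beside the ciphertext:
// the safe harbor is only meaningful if the key is not lost with the data.
func NewKey() ([]byte, error) {
	key := make([]byte, keyLen)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// newAEAD wraps the key in AES-GCM, rejecting anything but a 32-byte key.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != keyLen {
		return nil, fmt.Errorf("key must be %d bytes, got %d", keyLen, len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptRecord seals one PHI record (assumed storage layout for this example):
// 12-byte random nonce || ciphertext || 16-byte authentication tag.
// recordID is associated data: not encrypted, but covered by the tag.
func EncryptRecord(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce, producing nonce||ct||tag.
	return aead.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// DecryptRecord reverses EncryptRecord. A wrong key, a different recordID,
// or any change to the blob makes Open fail and returns no plaintext.
func DecryptRecord(key []byte, recordID string, blob []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns+aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	pt, err := aead.Open(nil, blob[:ns], blob[ns:], []byte(recordID))
	if err != nil {
		return nil, fmt.Errorf("decrypt record %q: %w", recordID, err)
	}
	return pt, nil
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record for this example; not real patient data.
	record := []byte(`{"name":"Jane Sample","dob":"1970-01-01","dx":"Z00.0"}`)
	blob, err := EncryptRecord(key, "patient-0001", record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob (%d bytes): %x\n", len(blob), blob)

	pt, err := DecryptRecord(key, "patient-0001", blob)
	fmt.Printf("right key and id: %s (err=%v)\n", pt, err)

	_, err = DecryptRecord(key, "patient-0002", blob)
	fmt.Println("same blob under another record id:", err)

	wrongKey, _ := NewKey()
	_, err = DecryptRecord(wrongKey, "patient-0001", blob)
	fmt.Println("wrong key:", err)

	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = DecryptRecord(key, "patient-0001", tampered)
	fmt.Println("one bit flipped in storage:", err)
}
```

Run it with `go run` and the stored blob is the "form in which there is a low probability of assigning meaning" that the guidance describes; the three failing calls show why an authenticated mode is preferable to a bare block cipher for stored PHI. Note that a lost laptop holding both this blob and its key is still a breach of unsecured PHI, which is why the example keeps key handling out of the storage path.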
HHS defines acceptable destruction as paper, film, or other hard-copy media that have been shredded or destroyed, and electronic media that have been sanitized, consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization.

Penalties for noncompliance
Section 13410 of the HITECH Act provides a tiered system for assessing the level of, and the penalty for, each violation. CMS, which enforces the HIPAA security rule, and the Office for Civil Rights (OCR), which enforces the HIPAA privacy rule, may impose amounts above the minimums below, up to a cap of $50,000 per violation and $1.5 million per calendar year for violations of the same provision:
- Tier A covers cases in which the offender did not know it had violated the act (and could not reasonably have known). Minimum per violation: $100. Maximum per calendar year: $25,000
- Tier B covers violations due to reasonable cause and not to willful neglect, although HHS still must define "reasonable cause." Minimum per violation: $1,000. Maximum per calendar year: $100,000
- Tier C covers violations due to willful neglect that the organization corrected. Minimum per violation: $10,000. Maximum per calendar year: $250,000
- Tier D covers violations due to willful neglect that the organization did not correct. Minimum per violation: $50,000. Maximum per calendar year: $1.5 million

Action plan
BAs have time to prepare for the February 18, 2010, compliance date. In the meantime, take the following steps:

Perform a risk assessment. Determine your primary vulnerabilities. "Find what your biggest threats to the security of your PHI are," Herold says. "You need to know where you are before you begin to form your policies and procedures." Check when you last had a security assessment, if ever, and start from there.

Make your own way. As a BA, you must understand that you are responsible for your own compliance program, regardless of contract terms with a covered entity, says Christiansen. "You need to be responsible for your own security program with HIPAA," says Christiansen, chair of the newly formed HITECH Business Associates Task Force of the American Bar Association's Health Law Section and of the HITRUST Business Associates Working Group of the Health Information Trust Alliance. Do not simply accept what is thrown your way, he says. "Your program should be built based upon your organization's own unique risks," says Herold. "That's what your risk assessment will reveal."
Run a gap analysis on covered entity contracts. HITECH is new, and existing contracts will probably leave gaps. "We haven't been in this world before," Christiansen says. Find your gaps and decide what you will do about them. You may want to wait for further regulations before you finalize your contracts, but start by consulting your legal team. You may need to provide a contract in the future; under current law, the onus is only on the covered entity.

Don't rewrite the entire contract. The changes to BA contracts should be minimal, says Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, OR. Apgar suggests adding a short statement or paragraph indicating that the BA must now comply with the HIPAA security rule and the use and disclosure provisions of the privacy rule.

Add breach notification language to BA contracts. The language should require the BA to notify the covered entity within five days of a breach, Apgar says. This aligns with the new California requirement for notifying the state that a breach has occurred, and it settles the question of when the 60-day notification clock starts. "Also, I would recommend adding language requiring that the BA pay the cost of notification, which could get rather expensive if the breach includes a significant number of individuals," Apgar says.

Add language about the Red Flags Rule. Covered entities (primarily providers) should consider adding language to the BA contract requiring that certain BAs implement identity theft management programs, Apgar says. The Red Flags Rule requires covered entities that the FTC considers creditors to adopt an identity theft prevention program by August 1, 2009.

Build your breach notification processes. This is perhaps the biggest change for BAs. Christiansen says BAs must put a policy in writing under the HITECH Act. "You need to be able to coordinate this by fall [of 2009] at the latest," he says. "This is going to be a big issue for a lot of BAs."

Train, train, train. Herold says she's seen horrible training in the BA community. "Make sure your policies document the need for regular training, along with ongoing awareness communications," she says. Then use effective training content. "Just throwing words in front of your personnel is not training." Get your hands on HIPAA resources, such as training books, e-learning courses, and webinars. Check with your covered entities to see what they have done.

Business associates: Who are you?
The HITECH Act clarifies that organizations that transmit protected health information and require access to that information, such as Regional Health Information Organizations, are now considered business associates and must enter into written contracts with covered entities. The act also adds a new category of BA: personal health record (PHR) vendors who contract with covered entities to provide a PHR to their patients or health plan members.

Some other examples of BAs are:
- Transcriptionists
- Contract coders
- Contracted laboratory and radiology departments
- Third-party billers
- Collection agencies
- Software vendors
- Interpreters
- Hospital couriers
- Pharmacies with hospital contracts
- Contracted cleaning staff members
- Security shredding companies
- Waste management companies
- Off-site storage facilities
- Auditors
- Web design contractors
- Marketing contractors
- Consultants

Conclusion
The new compliance requirements are a long time coming, says John C. Parmigiani, MS, BES, president of John C. Parmigiani & Associates, LLC, in Ellicott City, MD, and chair of the team that created the HIPAA security rule. Since HIPAA's security rule was enacted in 2003, compliance has been essentially a one-way street, with the burden on the covered entity.
"There has always been this undercurrent in the industry of 'let's make this playing field level between business associates and covered entities,'" says Parmigiani. "It's been espoused a number of times in the last four or five years, and now we've seen it come to fruition. There's been this feeling all along that with the covered entity, the onus is all on them. This latest enhancement of HIPAA gets back to a basic principle of security, and one which was trumpeted in the proposed security rule, that being creating a chain of trust so that every component that handles PHI provides equal protection."

Resources
The American Recovery and Reinvestment Act of 2009, February 2009.

Editor's note: Dom Nicastro is senior managing editor of HCPro's Briefings on HIPAA and Health Information Compliance Insider newsletters.